E-discovery: 4 scenarios that call for computer forensics

A working knowledge of the science of computer forensics should be an essential part of every litigation counsel’s e-discovery toolkit. Unlike traditional e-discovery, which only compels the exchange of computer data that is reasonably accessible, computer forensics uncovers computer data that is hard to reach, has been lost/destroyed or is too voluminous/disparate to comprehend.

Although the information uncovered after a forensic analysis can often alter the course of a case, it can be risky and expensive. It generally costs between $500 and $800 to collect and preserve a hard drive. Moreover, a licensed computer forensics specialist (whom you must engage if you want your evidence to hold up in court) will charge between $100 and $250 per hour to analyze the collected information, and even though you’ve spent the money, there is no guarantee the analysis will yield a shred of information that is useful to your case. Therefore, to hedge your company’s risk, you should understand how computer forensics can help your case before engaging an expert.

Business disputes that traditionally benefit from computer forensics

Although every case will require an independent assessment of the costs of computer forensics vs. the benefit of the information it might yield, there are a few fact scenarios in which computer forensics has proved helpful.

1. Deleted information/Destroyed device

Just because you can’t find it doesn’t mean it’s lost forever. “Deleted” computer files are not destroyed; they are saved in a computer’s “unallocated space,” in a format not easily understood by humans. A computer forensics specialist can retrieve and understand information that was previously deleted, including (but not limited to) emails, Internet browsing history, document drafts and calendar appointments. Furthermore, computer forensics specialists have been able to uncover similar data from devices that appear to have been physically destroyed (e.g., fire, water damage, will not turn on). Therefore, if you believe your case involves important information that may have been deleted from a device, or a device itself that has been destroyed, don’t assume the information you seek is lost. Instead, consult a computer forensics specialist to ascertain what’s left.

2. Stolen/Leaked information

Whether someone improperly downloaded information to a thumb disk or stole it through illegal online access to your company’s computer system, computer forensics can help you determine what information was stolen, when it was stolen and (in some instances) who stole it. This capability is especially helpful in proving that former employees have absconded with a company’s intellectual property (i.e., financial information, client lists and other proprietary information) or that competitors are stealing trade secrets.

3. Fraud

Generally, cases of complex business fraud (whether internal or external) require expertise in the interplay between disparate and complex IT systems (e.g., how the inventory software relates to the billing software) to uncover irregularities and inconsistencies. Computer forensics is becoming increasingly adept at synthesizing voluminous data to help prove the fraud.

4. Timeline of events

Computers keep accurate usage logs, i.e., metadata. Metadata can be critical in cases in which notice or intent are elements, but can be easily (and permanently) destroyed if not collected in a forensically defensible manner.

In conclusion, forensic computing is not for every case. To use it effectively, you have to understand what information you are seeking and how it will help your case.